Mozilla, Apple Respond To DigiNotar Certificate Threat

September 10, 2011

In the wake of the DigiNotar threat, Apple patched their Mac OS X software to remove the Dutch certificate issuer from their list of trusted providers, while Firefox developer Mozilla issued an ultimatum to certificate authorities to improve their security or face being blocked.

According to BBC News, Mozilla sent a warning to certificate authorities (CAs), advising that they had until September 16 to ensure that their security had not been compromised. If they cannot prove that their internal networks were adequately protected, as well as demonstrate what steps they are taking to make sure that fake certificates are not being generated, Mozilla will revoke their secure website clearances.

“Participation in Mozilla’s root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe,” Kathleen Wilson, module owner of Mozilla’s CA Certificates Module, wrote in an open letter to those certificate issuers, according to Elinor Mills of CNET.

“Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve,” she added. “Thank you for your participation in this pursuit.”

Also on Friday, Apple removed DigiNotar from their list of trusted root certificates.

A security bulletin issued by the Mac OS X developers and reprinted in a Sept. 9 article by Loek Essers of IDG News said: “Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted.”

Apple also reported that they would not “disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available,” a policy that was criticized by security experts.

Roel Schouwenberg, a security researcher at Kaspersky, told Essers that Apple’s security-issue communications policy was “disturbing” and “really old-fashioned,” adding that the security update was “very late” and that the company has yet to address possible certificate-related security issues in iOS, its mobile operating system for the iPod, iPad, and iPhone.

On Tuesday, Microsoft updated Windows to block all DigiNotar-issued Secure Sockets Layer (SSL) certificates, according to Computerworld writer Gregg Keizer. Mills also reported that Adobe said that they were in the process of removing DigiNotar’s certificates from the Adobe Approved Trust List, and were providing instructions so that users could manually remove the certificates from their Reader and Acrobat software.

According to Mills, DigiNotar “revealed last week that it had discovered a breach in its system on July 19 that had enabled someone to issue what turned out to be more than 500 fraudulent certificates, including one that was used to spoof the Google.com domain. Google said the incident primarily affected people in Iran, possibly as many as 300,000, according to a Dutch forensics report.”

As previously reported here on RedOrbit, a hacker identified as “Comodohacker” claimed responsibility for attacking the company.

The individual identified himself as a 21-year-old Iranian student (though some suspect he may actually be Turkish), and said that the attack was perpetrated to punish the Dutch government for the 1995 deaths of 8,000 Muslims in Srebrenica during the Bosnian War.